How to Decode and Inspect JWT Tokens
JWTs are the standard for API authentication, but they aren't human-readable as issued: the header and payload are Base64url-encoded, so you have to decode them to see what's inside. This guide shows you how to inspect any JWT to understand what it contains and whether it has expired.
When You Need a JWT Decoder
- Debugging "401 Unauthorized" errors — is the token expired?
- Checking what claims an API token contains
- Verifying the token issuer and audience
- Understanding the signing algorithm used
- Inspecting tokens during OAuth flow development
How to Decode a JWT
Step 1: Open the tool
Go to the JWT Decoder.
Step 2: Paste your token
Paste the JWT (starts with eyJ...). The tool instantly decodes it and shows the three parts color-coded: header (red), payload (purple), and signature (cyan).
Step 3: Inspect claims
The Claims section shows standard JWT claims with human-readable values. The exp claim shows whether the token has expired and how long ago (or how long until expiration).
Understanding JWT Structure
Header
Contains the signing algorithm (alg) and token type (typ). Common algorithms: HS256 (HMAC), RS256 (RSA), ES256 (ECDSA).
Payload
Contains the claims: data about the user, permissions, and token metadata. The payload is not encrypted, just Base64url-encoded, so anyone with the token can read it.
Signature
Cryptographic proof that the token hasn't been tampered with. Only the server with the secret/private key can create a valid signature.
Tips
- If you see "Expired 0s ago", the token literally just expired — check the clock skew between your system and the server.
- JWTs are not encrypted. Never put sensitive data (passwords, credit card numbers) in the payload.
- Need to convert a Unix timestamp from the payload? Use the Unix Timestamp Converter.
- To decode just the Base64 portion, use the Base64 Encoder.
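The decode-and-inspect steps described above, including the clock-skew check from the first tip, can be reproduced in a few lines of JavaScript. This is an added example, not the tool's own code; the function names, the 60-second skew allowance, and the sample token are assumptions constructed for illustration.

```javascript
// Added example: decode-only JWT inspection. Nothing here verifies the signature.

// Decode one Base64url segment of a compact JWT into a JSON object.
function decodeSegment(seg) {
  if (!/^[A-Za-z0-9_-]+$/.test(seg)) throw new Error("segment is not Base64url");
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/") +
              "=".repeat((4 - (seg.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
}

// Classify a token against the clock, tolerating skewSec seconds of clock skew.
function inspectJwt(token, nowSec = Math.floor(Date.now() / 1000), skewSec = 60) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = decodeSegment(parts[0]);
  const payload = decodeSegment(parts[1]);

  let status = "no-exp";
  if (typeof payload.exp === "number") {
    const left = payload.exp - nowSec;
    if (left > 0) status = "valid";
    else if (-left <= skewSec) status = "expired-within-skew"; // compare clocks first
    else status = "expired";
  }
  if (typeof payload.nbf === "number" && payload.nbf - nowSec > skewSec) {
    status = "not-yet-valid";
  }
  return {
    alg: header.alg, typ: header.typ,
    iss: payload.iss, aud: payload.aud, sub: payload.sub,
    status,
    secondsLeft: typeof payload.exp === "number" ? payload.exp - nowSec : null,
    signatureVerified: false, // decoding alone proves nothing about authenticity
  };
}

// Constructed sample token (fake signature), built inline so the example runs offline.
function sampleToken() {
  const enc = (obj) => btoa(JSON.stringify(obj))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  const header = { alg: "HS256", typ: "JWT" };
  const payload = { iss: "https://issuer.example", aud: "api.example",
                    sub: "user-123", iat: 1700000000, exp: 1700003600 };
  return `${enc(header)}.${enc(payload)}.c2lnbmF0dXJl`;
}

console.log(inspectJwt(sampleToken(), 1700003630)); // clock is 30 s past exp
```

The decoded claims are untrusted input until the signature has been verified server-side with the correct key.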
FAQ
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token format used for authentication and data exchange. It has three parts: a header (algorithm and type), a payload (claims like user ID, expiration), and a signature (cryptographic proof of integrity).
Can this tool verify JWT signatures?
No. Signature verification requires the secret key (for HMAC), which should never be shared publicly, or the public key (for RSA/ECDSA). This tool decodes and inspects tokens only; it does not validate authenticity.
Is it safe to paste my JWT here?
Yes. All decoding happens entirely in your browser using JavaScript. Your token is never sent to any server. However, be cautious about sharing JWTs in general — they may contain sensitive claims.
What are the common JWT claims?
exp (expiration time), iat (issued at), nbf (not before), sub (subject/user ID), iss (issuer), aud (audience), and jti (unique token ID). Our tool automatically parses and displays these with human-readable timestamps.
Try It Now
Ready to inspect a token? Open the JWT Decoder — it works entirely in your browser with no sign-up required.